The JISC (Joint Information Systems Committee) engaged in a major exercise to promote and implement Federated Access Management (FAM) nationally. This included a nationwide infrastructure being put in place to facilitate new levels of online collaboration and sharing of resources. JISC worked with Becta to bring HE, FE and schools (LEAs) into a common system of access. The research and support exercise for this led to a considerable body of knowledge and case studies for implementing Federated Access Management at an institution.
Currently, JISC are running an "Access and Identity" Programme looking at the associated processes, policies and technology. This complements the UK Federation service which is supported by JANET (funded by JISC and Becta).
What is Federated Access Management?
Access management is essentially the topic of how best to give users (students and staff) access to electronic resources within a college / institutional network, within a collaborative group of institutions, staff or students, or over the internet.
Taking a "federated" approach implies collaboration / signing up to a common agreement to manage this kind of access. This may mean forming an alliance between colleges, between all UK educational institutions, or even wider on a cross-sectoral / international basis.
In UK education, many institutions and service providers have moved to a Federated Access Management system (e.g. Shibboleth) for next-generation access to electronic resources and inter-institutional collaboration, with seamless single sign-on to quality academic resources for end users.
How does it work?
Federated Access provides a secure method of authorisation which uses authentication by the user's own institutional login process. In technical terms this option involves having your own IdP (Identity Provider) based on SAML-compliant technologies (i.e. the standard method for exchanging such information). A college could develop, run and support this internally; or have the IdP provided and supported by a third party (or any mixture of the two). In all cases the user credentials are not held outside your control.
In practical terms, following a strategy meeting between SMT, LRC and IT Services, things will begin with an audit of the existing information structure within the institutional directory (which can be a useful process to go through anyway), to ensure that it meets the required standards for exchanging information. This looks at issues such as server requirements, directory and authentication development, attribute requirements, firewall access, SSL certification, joining the UK Federation, and creating a deployment timeline.
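One way to run the directory audit described above, as an added example (not code from Jisc, the UK Federation or Shibboleth): it reads an LDIF export of the institutional directory and lists the entries that are not ready for attribute release. The required-attribute list, the `parse_ldif` and `audit` names and the sample export are assumptions made for illustration.

```python
import base64

# Assumption: attributes your service providers ask for; replace with your own list.
REQUIRED = ("uid", "mail", "edupersonaffiliation")
# Controlled vocabulary the eduPerson schema defines for eduPersonAffiliation.
AFFILIATIONS = set("faculty student staff alum member affiliate employee library-walk-in".split())

def parse_ldif(text):
    """Parse an LDIF export into a list of {lower-cased attribute: [values]} dicts."""
    entries = []
    for block in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):  # unfold lines
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" carries an encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return {dn: [problems]} for entries not ready for attribute release."""
    report = {}
    for e in entries:
        problems = [f"missing {a}" for a in REQUIRED if not any(e.get(a, []))]
        problems += [f"invalid affiliation {v!r}" for v in e.get("edupersonaffiliation", [])
                     if v and v not in AFFILIATIONS]
        if problems:
            report[e["dn"][0]] = problems
    return report

# Constructed sample export (not real data): one base64 mail value, one folded dn line.
SAMPLE_LDIF = """dn: uid=asmith,ou=people,dc=example,dc=ac,dc=uk
uid: asmith
mail:: YS5zbWl0aEBleGFtcGxlLmFjLnVr
eduPersonAffiliation: student

dn: uid=bjones,ou=people,
 dc=example,dc=ac,dc=uk
uid: bjones
eduPersonAffiliation: lecturer
"""

if __name__ == "__main__":
    for dn, problems in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", "; ".join(problems))
```

Entries with no problems are left out of the report, so an empty result means every exported account carries the attributes on the list.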
What are the technical requirements for an institution to implement the system?
From a technical perspective the skills needed to set up as a Shibboleth Identity Provider (IdP) are:
- Software such as Apache Tomcat, Java, SSL/HTTPS and (possibly) MySQL.
- Knowledge of LDAP and the college internal directory.
- Windows or Linux/Unix (it can run on either).
- Hardware can be fairly light. If using a virtual server environment, a single virtual machine with about 1-2GB of memory should be sufficient.
- Timescales: if you are quick and prepared you can install it in a day or two. In the real world of work, probably over a minimum period of a month.
- Some red tape needs to be dealt with, e.g. joining the UK Federation and registering to use the JANET Certificate Service (if you are not already using it).
- Then there is usually work for LRC staff in contacting resource providers once the IdP goes live.
- Ongoing maintenance: there are of course software version updates, which shouldn't take a huge amount of time. Big version changes need planning. There's some maintenance to attributes and attribute resolution (which depends on how many resources you have, what they are and whether they need changes).
Jisc & the UK Federation
The UK Federation provide details of support on their website:
Support calls should now be directed to the JANET helpdesk:
Tel: 0300 300 2212 (UK)
+44 1235 822 212 (International)
Third Party Support (Paid For)
There is always the option of outsourcing the installation and ongoing maintenance. Jisc produced a briefing paper titled 'Third Party Providers of Federated Access Management Solutions: Guide for Institutions' aimed at UK higher and further education institutions that wish to adopt federated access management and join the UK Access Management Federation, either by using paid-for support or by subscribing to an 'outsourced Identity Provider'. Download it here. There is also information here. Several Welsh colleges have gone down this support route.
Jisc RSC Wales
Jisc RSC Wales can also provide assistance, for example by brokering links with other colleges who have successfully installed FAM. Please contact our Support desk: firstname.lastname@example.org
More Information
- Shibboleth Videos from RSC NW and Kidderminster College
- RSC Wales' Learning Resources blog
- RSC Wales' Technical blog
- RSC Wales' links on Access Management
- Eduserv is a commercial supplier of FAM solutions (including the Athens service). They have an introduction to Access & Identity issues as well as a webinar video.